permit 0.9.0

data/spec/permit/permit_rules_spec.rb

@@ -0,0 +1,273 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+include Permit
+
+module Permit::Specs
+  describe PermitRules do
+    describe "#initialize" do
+      it "should have an empty hash for allow rules" do
+        rules = PermitRules.new nil
+        rules.action_allow_rules.should == {}
+      end
+
+      it "should have an empty hash for deny rules" do
+        rules = PermitRules.new nil
+        rules.action_deny_rules.should == {}
+      end
+
+      it "should set the logger" do
+        rules = PermitRules.new "some logger"
+        rules.logger.should == "some logger"
+      end
+
+      it "should set the options" do
+        rules = PermitRules.new nil, :default_access => :allow
+        rules.options[:default_access].should == :allow
+      end
+    end
+
+    describe "#allow" do
+      before do
+        @rules = PermitRules.new nil
+      end
+
+      it "should raise an error with no action" do
+        lambda {
+          @rules.allow :admin
+        }.should raise_error(PermitConfigurationError, "At least one action must be given to authorize access for.") 
+
+        lambda {
+          @rules.allow :admin, :to => nil
+        }.should raise_error(PermitConfigurationError, "At least one action must be given to authorize access for.") 
+      end
+
+      it "should raise an error if multiple actions are given with :all" do
+        lambda {
+          @rules.allow :admin, :to => [:all, :show]
+        }.should raise_error(PermitConfigurationError, "If :all is specified for :to/:from then no other actions may be given.") 
+      end
+
+      it "should accept one action" do
+        r = @rules.allow :admin, :to => :show
+        @rules.action_allow_rules.should have(1).item
+        @rules.action_allow_rules[:show].should have(1).item
+        @rules.action_allow_rules[:show][0].should == r
+      end
+
+      it "should accept multiple actions" do
+        r = @rules.allow :admin, :to => [:show, :index]
+        @rules.action_allow_rules.should have(2).items
+        @rules.action_allow_rules[:show].should have(1).item
+        @rules.action_allow_rules[:show][0].should == r
+        @rules.action_allow_rules[:index].should have(1).item
+        @rules.action_allow_rules[:index][0].should == r
+      end
+
+      it "should expand alias :read" do
+        r = @rules.allow :admin, :to => :read
+        @rules.action_allow_rules[:show].should have(1).item
+        @rules.action_allow_rules[:show][0].should == r
+        @rules.action_allow_rules[:index].should have(1).item
+        @rules.action_allow_rules[:index][0].should == r
+      end
+
+      it "should expand aliases" do
+        {
+          :create => [:new, :create], 
+          :update => [:edit, :update], 
+          :destroy => [:delete, :destroy],
+          :read => [:index, :show], 
+          :write => [:new, :create, :edit, :update]
+        }.each do |alias_action, actions|
+          rules = PermitRules.new nil
+          r = rules.allow :admin, :to => alias_action
+          actions.each do |action|
+            rules.action_allow_rules[action].should have(1).item
+            rules.action_allow_rules[action][0].should == r
+          end
+        end
+      end
+
+      it "should not have multiple entries for the same action" do
+        r = @rules.allow :admin, :to => [:show, :index, :show]
+        @rules.action_allow_rules[:show].should have(1).item
+        @rules.action_allow_rules[:show][0].should == r
+        @rules.action_allow_rules[:index].should have(1).item
+        @rules.action_allow_rules[:index][0].should == r
+      end
+
+      it "should not have nil actions" do
+        r = @rules.allow :admin, :to => [:new, nil]
+        @rules.action_allow_rules[:new].should have(1).item
+        @rules.action_allow_rules[:new][0].should == r
+      end
+    end
+
+    describe "#deny" do
+      before do
+        @rules = PermitRules.new nil
+      end
+
+      it "should raise an error with no action" do
+        lambda {
+          @rules.deny :admin
+        }.should raise_error(PermitConfigurationError, "At least one action must be given to authorize access for.") 
+
+        lambda {
+          @rules.deny :admin, :from => nil
+        }.should raise_error(PermitConfigurationError, "At least one action must be given to authorize access for.") 
+      end
+
+      it "should raise an error if multiple actions are given with :all" do
+        lambda {
+          @rules.deny :admin, :from => [:all, :show]
+        }.should raise_error(PermitConfigurationError, "If :all is specified for :to/:from then no other actions may be given.") 
+      end
+
+      it "should accept one action" do
+        r = @rules.deny :admin, :from => :show
+        @rules.action_deny_rules.should have(1).item
+        @rules.action_deny_rules[:show].should have(1).item
+        @rules.action_deny_rules[:show][0].should == r
+      end
+
+      it "should accept multiple actions" do
+        r = @rules.deny :admin, :from => [:show, :index]
+        @rules.action_deny_rules.should have(2).items
+        @rules.action_deny_rules[:show].should have(1).item
+        @rules.action_deny_rules[:show][0].should == r
+        @rules.action_deny_rules[:index].should have(1).item
+        @rules.action_deny_rules[:index][0].should == r
+      end
+
+      it "should expand alias :read" do
+        r = @rules.deny :admin, :from => :read
+        @rules.action_deny_rules[:show].should have(1).item
+        @rules.action_deny_rules[:show][0].should == r
+        @rules.action_deny_rules[:index].should have(1).item
+        @rules.action_deny_rules[:index][0].should == r
+      end
+
+      it "should expand aliases" do
+        {
+          :create => [:new, :create], 
+          :update => [:edit, :update], 
+          :destroy => [:delete, :destroy],
+          :read => [:index, :show], 
+          :write => [:new, :create, :edit, :update]
+        }.each do |alias_action, actions|
+          rules = PermitRules.new nil
+          r = rules.deny :admin, :from => alias_action
+          actions.each do |action|
+            rules.action_deny_rules[action].should have(1).item
+            rules.action_deny_rules[action][0].should == r
+          end
+        end
+      end
+
+      it "should not have multiple entries for the same action" do
+        r = @rules.deny :admin, :from => [:show, :index, :show]
+        @rules.action_deny_rules[:show].should have(1).item
+        @rules.action_deny_rules[:show][0].should == r
+        @rules.action_deny_rules[:index].should have(1).item
+        @rules.action_deny_rules[:index][0].should == r
+      end
+
+      it "should not have nil actions" do
+        r = @rules.deny :admin, :from => [:new, nil]
+        @rules.action_deny_rules[:new].should have(1).item
+        @rules.action_deny_rules[:new][0].should == r
+      end
+    end
+
+    describe "#permitted?" do
+      before do
+        @logger = mock("logger")
+        @logger.stub!(:info).and_return(nil)
+      end
+
+      context "for deny rules" do
+        before do
+          @rules = PermitRules.new @logger, :default_access => :allow
+        end
+
+        describe "when a person matches an :all actions deny rule" do
+          it "should return false" do
+            @rules.deny :everyone, :from => :delete
+            @rules.deny :everyone, :from => :all
+            @rules.permitted?(Guest.new, :delete, binding).should be_false
+          end
+        end
+
+        describe "when a person matches a deny rule" do
+          it "should return false" do
+            @rules.deny :everyone, :from => :show
+            @rules.permitted?(Guest.new, :show, binding).should be_false
+          end
+        end
+
+        describe "when a person matches a deny and an allow rule" do
+          it "should return false" do
+            @rules.allow :everyone, :to => :create
+            @rules.deny :everyone, :from => :create
+            @rules.permitted?(Guest.new, :create, binding).should be_false
+          end
+        end
+      end
+
+      context "for allow rules" do
+        before do
+          @rules = PermitRules.new @logger
+        end
+
+        describe "when a person matches an :all actions allow rule" do
+          it "should return true" do
+            @rules.allow :everyone, :to => :all
+            @rules.permitted?(Guest.new, :index, binding).should be_true
+          end
+        end
+
+        describe "when a person matches an allow rule" do
+          it "should return true" do
+            @rules.allow :everyone, :to => :new
+            @rules.permitted?(Guest.new, :new, binding).should be_true
+          end
+        end
+      end
+
+
+      describe "when a person doesn't match any rules" do
+        before {@default = Permit::Config.default_access}
+
+        describe "and the :default_access option is not set" do
+          it "should return false if Permit::Config#default_access is not set to :allow" do
+            Permit::Config.default_access = :deny
+            rules = PermitRules.new @logger
+            rules.permitted?(Guest.new, :show, binding).should be_false
+          end
+
+          it "should return true if Permit::Config#default_access is set to :allow" do
+            Permit::Config.default_access = :allow
+            rules = PermitRules.new @logger
+            rules.permitted?(Guest.new, :show, binding).should be_true
+          end
+        end
+
+        describe "and the :default_access option is set" do
+          it "should return true if the option is set to :allow" do
+            Permit::Config.default_access = :deny
+            rules = PermitRules.new @logger, :default_access => :allow
+            rules.permitted?(Guest.new, :index, binding).should be_true
+          end
+
+          it "should return false if the option is not set to :allow" do
+            Permit::Config.default_access = :allow
+            rules = PermitRules.new @logger, :default_access => :deny
+            rules.permitted?(Guest.new, :index, binding).should be_false
+          end
+        end
+
+        after {Permit::Config.default_access = @default}
+      end
+    end
+  end
+end

data/spec/permit_spec.rb

@@ -0,0 +1,58 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe Permit::Config do
+  describe "defaults" do
+    it "controller_subject_method should default to nil" do
+      Permit::Config.controller_subject_method.should be_nil
+    end
+
+    it "default_access should be :deny" do
+      Permit::Config.default_access.should == :deny
+    end
+  end
+
+  describe "#set_core_models" do
+    before :all do
+      @auth = Permit::Config.authorization_class
+      @person = Permit::Config.person_class
+      @role = Permit::Config.role_class
+    end
+
+    it "should set the class variables" do
+      Permit::Config.set_core_models(Permit::Specs::Authorization, Permit::Specs::Person, Permit::Specs::Role)
+      Permit::Config.authorization_class.should be(Permit::Specs::Authorization)
+      Permit::Config.person_class.should be(Permit::Specs::Person)
+      Permit::Config.role_class.should be(Permit::Specs::Role)
+    end
+
+    it "should setup the permit_* methods on the models" do
+      Permit::Specs::Authorization.should_receive(:permit_authorization)
+      Permit::Specs::Person.should_receive(:permit_person)
+      Permit::Specs::Role.should_receive(:permit_role)
+      Permit::Config.set_core_models(Permit::Specs::Authorization, Permit::Specs::Person, Permit::Specs::Role)
+    end
+
+    after :all do
+      Permit::Config.set_core_models(@auth, @person, @role)
+    end
+  end
+
+  describe "#reset_core_models" do
+    before :all do
+      @auth = Permit::Config.authorization_class
+      @person = Permit::Config.person_class
+      @role = Permit::Config.role_class
+    end
+
+    it "should reset the core model classes" do
+      Object.should_receive(:const_get).with("Permit::Specs::Authorization").and_return(Permit::Specs::Authorization)
+      Object.should_receive(:const_get).with("Permit::Specs::Person").and_return(Permit::Specs::Person)
+      Object.should_receive(:const_get).with("Permit::Specs::Role").and_return(Permit::Specs::Role)
+      Permit::Config.reset_core_models
+    end
+
+    after :all do
+      Permit::Config.set_core_models(@auth, @person, @role)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,73 @@
+begin
+  require File.dirname(__FILE__) + '/../../../../spec/spec_helper'
+rescue LoadError => e
+  puts e
+  puts "You need to install rspec in your base app"
+  exit
+end
+
+ActiveRecord::Schema.verbose = false
+
+begin
+  ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :database => ":memory:")
+rescue ArgumentError
+  ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :dbfile => ":memory:")
+end
+
+ActiveRecord::Schema.define(:version => 1) do
+  create_table :roles do |t|
+    t.string :key, :name, :description
+    t.boolean :requires_resource, :authorize_resource, :null => false, :default => true
+  end
+
+  create_table :people do |t|
+    t.string :name
+  end
+
+  create_table :projects do |t|
+    t.string :name
+    t.integer :owner_id
+  end
+
+  create_table :teams do |t|
+    t.string :name
+  end
+
+  create_table :people_teams, :id => false do |t|
+    t.integer :person_id, :team_id
+  end
+
+  create_table :projects_teams, :id => false do |t|
+    t.integer :project_id, :team_id
+  end
+
+  create_table :authorizations do |t|
+    t.integer :person_id, :role_id, :null => false
+    t.string :resource_type
+    t.integer :resource_id
+    t.timestamps
+  end
+
+  create_table :users do |t|
+    t.string :name
+  end
+    
+  create_table :jobs do |t|
+    t.string :key, :name, :description
+    t.boolean :requires_resource, :authorize_resource, :null => false, :default => true
+  end
+
+  create_table :entitlements do |t|
+    t.integer :user_id, :job_id, :null => false
+    t.string :resource_type
+    t.integer :resource_id
+    t.timestamps
+  end
+
+end
+
+require File.dirname(__FILE__) + "/support/models"
+require File.dirname(__FILE__) + "/support/permits_controller"
+require File.dirname(__FILE__) + "/support/helpers"
+
+Permit::Config.set_core_models(Permit::Specs::Authorization, Permit::Specs::Person, Permit::Specs::Role) #unless Permit::Config.models_defined?

data/spec/support/helpers.rb

@@ -0,0 +1,13 @@
+include Permit
+
+def new_authz(person, key, resource = :default)
+  role = Permit::Specs::Role.find_by_key key.to_s
+  role ||= Permit::Specs::Role.create :key => key.to_s, :name => key.to_s
+  resource = (resource == :default ? Permit::Specs::Project.find_or_create_by_name("test project") : resource)
+  a = Permit::Specs::Authorization.create! :person => person, :role => role, :resource => resource
+end
+
+def role(key, name = nil)
+  r = Permit::Specs::Role.find_by_key key.to_s
+  r ? r : Permit::Specs::Role.create!(:key => key.to_s, :name => (name ? name : key.to_s))
+end

data/spec/support/models.rb

@@ -0,0 +1,38 @@
+# models include Permit::Specs so that they will prefer spec models to 
+# identically named models in main app.
+module Permit::Specs
+  class Person < ActiveRecord::Base
+    include Permit::Specs
+
+    has_and_belongs_to_many :teams
+
+    def guest?
+      new_record?
+    end
+  end
+
+  class Guest
+    def guest?
+      true
+    end
+  end
+
+  class Role < ActiveRecord::Base
+    include Permit::Specs
+
+  end
+
+  class Authorization < ActiveRecord::Base
+    include Permit::Specs
+  end
+
+  class Project < ActiveRecord::Base
+    include Permit::Specs
+    permit_authorizable
+  end
+
+  class Team < ActiveRecord::Base
+    include Permit::Specs
+    permit_authorizable
+  end
+end

data/spec/support/permits_controller.rb

@@ -0,0 +1,7 @@
+class PermitsController < ActionController::Base
+  include Permit
+
+  def current_person
+
+  end
+end

data/tasks/permit_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :permit do
+#   # Task goes here
+# end

data/uninstall.rb

@@ -0,0 +1 @@
+# Uninstall hook code here

metadata

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification 
+name: permit
+version: !ruby/object:Gem::Version 
+  version: 0.9.0
+platform: ruby
+authors: 
+- Steve Valaitis
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-03-27 00:00:00 -05:00
+default_executable: 
+dependencies: []
+
+description: 
+email: steve@digitalnothing.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.mkd
+files: 
+- .gitignore
+- .yardopts
+- MIT-LICENSE
+- README.mkd
+- Rakefile
+- VERSION.yml
+- generators/permit/USAGE
+- generators/permit/permit_generator.rb
+- generators/permit/templates/authorization.rb
+- generators/permit/templates/initializer.rb
+- generators/permit/templates/migration.rb
+- generators/permit/templates/role.rb
+- init.rb
+- install.rb
+- lib/models/association.rb
+- lib/models/authorizable.rb
+- lib/models/authorization.rb
+- lib/models/person.rb
+- lib/models/role.rb
+- lib/permit.rb
+- lib/permit/controller.rb
+- lib/permit/permit_rule.rb
+- lib/permit/permit_rules.rb
+- lib/permit/support.rb
+- permit.gemspec
+- rails/init.rb
+- spec/models/alternate_models_spec.rb
+- spec/models/authorizable_spec.rb
+- spec/models/authorization_spec.rb
+- spec/models/person_spec.rb
+- spec/models/role_spec.rb
+- spec/permit/controller_spec.rb
+- spec/permit/permit_rule_spec.rb
+- spec/permit/permit_rules_spec.rb
+- spec/permit_spec.rb
+- spec/spec_helper.rb
+- spec/support/helpers.rb
+- spec/support/models.rb
+- spec/support/permits_controller.rb
+- tasks/permit_tasks.rake
+- uninstall.rb
+has_rdoc: true
+homepage: http://github.com/dnd/permit
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: A flexible authorization plugin for Ruby on Rails.
+test_files: 
+- spec/spec_helper.rb
+- spec/support/helpers.rb
+- spec/support/models.rb
+- spec/support/permits_controller.rb
+- spec/models/alternate_models_spec.rb
+- spec/models/person_spec.rb
+- spec/models/role_spec.rb
+- spec/models/authorizable_spec.rb
+- spec/models/authorization_spec.rb
+- spec/permit_spec.rb
+- spec/permit/permit_rules_spec.rb
+- spec/permit/controller_spec.rb
+- spec/permit/permit_rule_spec.rb